GlassWorm Malware Campaign Hits macOS via Compromised OpenVSX Extensions

A new wave of the GlassWorm campaign has been uncovered targeting macOS systems through compromised OpenVSX extensions: four extensions from a single hijacked publisher account were updated with a stealer that goes after passwords, crypto‑wallet data, developer credentials, and configuration files.

Key Details

  • Attack vector: Threat actors compromised the OpenVSX publisher account of the legitimate developer oorzc and used it to push malicious updates to extensions that were already installed by users.
  • Extensions trojanized (Jan 30, 2026):
    • oorzc.ssh-tools v0.5.1
    • oorzc.i18n-tools-plus v1.6.8
    • oorzc.mind-map v1.0.61
    • oorzc.scss-to-css-compile v1.3.4
  • Scale: The extensions had roughly 22,000 downloads combined before the malicious updates, so the trojanized releases reached an existing installed base rather than depending on new installs.
  • Technique: The malicious code was hidden behind “invisible” Unicode characters, so it does not show up in the editor or in a diff of the extension source; only a code‑point‑level scan reveals it.
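The concealment trick above is easy to check for mechanically. The following scanner is an added example, not the campaign's code and not Socket's tooling: it flags code points that render as nothing (zero-width characters, variation selectors, tag characters and other format controls), reports them as runs, and walks an extensions directory. The set of ranges is an assumption about what is worth flagging in general, not the exact characters this payload used; the sample source and the default directory path are constructed for the demonstration.

```python
"""Detect 'invisible' Unicode code points that can hide code from a human
reader (added example, not the campaign's own code). The ranges are the
general zero-width / format / variation-selector classes, an assumption
about what to flag rather than the exact characters this payload used."""
import os
import sys
import unicodedata

# Code points that render as nothing, or only modify the preceding glyph.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space / ZWNJ / ZWJ, LRM, RLM
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x206A, 0x206F),    # deprecated format controls
    (0xFE00, 0xFE0F),    # variation selectors VS1-VS16
    (0xE0100, 0xE01EF),  # variation selectors supplement VS17-VS256
    (0xE0000, 0xE007F),  # Unicode "tag" characters
    (0xFEFF, 0xFEFF),    # BOM / zero-width no-break space inside a file
    (0x180E, 0x180E),    # Mongolian vowel separator
)


def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"  # any other format control


def find_invisible(text):
    """Return [(line_no, col, 'U+XXXX'), ...], 1-based, one entry per code point."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                hits.append((line_no, col, f"U+{ord(ch):04X}"))
    return hits


def runs(hits, min_len=1):
    """Collapse adjacent hits on a line into (line_no, start_col, length) runs.
    A lone ZWJ inside an emoji sequence is normal; a run of many variation
    selectors inside a string literal is the signature of an encoded payload."""
    out = []
    for line_no, col, _ in hits:
        if out and out[-1][0] == line_no and out[-1][1] + out[-1][2] == col:
            out[-1] = (line_no, out[-1][1], out[-1][2] + 1)
        else:
            out.append((line_no, col, 1))
    return [r for r in out if r[2] >= min_len]


# Constructed sample (not real extension code): an entry point with four
# invisible code points spliced into a string literal on line 2.
SAMPLE_JS = (
    "const activate = (ctx) => { registerCommands(ctx); };\n"
    "const s = 'x\ufe01\ufe0a\U000e0105\ufe03';\n"
    "module.exports = { activate };\n"
)


def scan_tree(root, exts=(".js", ".ts", ".json"), min_len=2):
    """Walk an extensions directory; map each file path to its invisible runs."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = runs(find_invisible(fh.read()), min_len=min_len)
                if found:
                    report[path] = found
    return report


if __name__ == "__main__":
    # Assumed default: VSCodium-style OpenVSX install dir; pass another path as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.vscode-oss/extensions")
    for path, found in scan_tree(root).items():
        print(path, found)
```

Run it against the extensions directory of every editor on the machine; a hit of a few characters in a localisation file is usually an emoji or bidi mark, while a run of dozens or hundreds of variation selectors in a `.js` file is what this campaign's concealment looks like from the scanner's point of view.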

Malware Capabilities

  • Persistence: Installs a LaunchAgent (a per‑user launchd job, normally under ~/Library/LaunchAgents) so the payload runs again at every login.
  • Data theft:
    • Browser data (Firefox and Chromium‑based browsers).
    • Crypto wallets, both browser wallet extensions and desktop wallet apps.
    • macOS Keychain data.
    • Apple Notes databases.
    • Safari cookies.
    • Developer secrets and local documents.
  • Exfiltration: Stolen data is sent to attacker infrastructure at 45.32.150[.]251 (defanged; block it and hunt for it in egress logs).
  • Additional capabilities: VNC‑based remote access to the desktop and SOCKS proxying, which lets the attacker route traffic through the victim's machine.

Campaign Characteristics

  • Targeting: macOS systems exclusively.
  • Command and control: Instructions are pulled from Solana transaction memos, so there is no conventional C2 domain to sinkhole or block at that stage; the blockchain record is public and the attacker can update it at will.
  • Locale exclusion: Systems with a Russian locale are skipped, hinting at where the operators are based.
  • Evolution: Earlier GlassWorm waves hit both the VS Code Marketplace and OpenVSX.
  • Goal: Theft of developer credentials and crypto assets.

Response & Mitigation

  • Socket Security reported the malicious packages to the Eclipse Foundation, which operates OpenVSX.
  • The compromised publisher tokens were revoked and the malicious releases removed.
  • Exception: oorzc.ssh-tools was removed entirely because it had multiple malicious releases.
  • Current status: Clean versions are available again, but anyone who installed a compromised build must treat the machine as compromised and:
    • Perform a full system clean‑up: remove the trojanized extension and the LaunchAgent, or rebuild the host.
    • Rotate all secrets and passwords, including SSH keys, API tokens, Keychain‑stored credentials and browser‑saved logins, and move funds out of any wallet whose keys were on the machine.
    • Audit developer environments for persistence mechanisms (LaunchAgents, LaunchDaemons, shell profile edits) and for connections to the exfiltration IP.
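The first two audit steps (is a trojanized version installed, and is there a LaunchAgent that should not be there) can be scripted. The triage script below is an added example, not tooling from Socket or the Eclipse Foundation: it reads each extension's package.json and matches it against the versions listed above, then parses every plist in a LaunchAgents directory and flags any that references the exfiltration IP or executes from a user‑writable path. The default directories (~/.vscode and ~/.vscode-oss for extensions, ~/Library/LaunchAgents for persistence) and the user‑writable heuristic are assumptions; the fixture that `build_sample` writes is constructed test data.

```python
"""Post-incident triage for the trojanized oorzc extensions (added example,
not Socket's or the Eclipse Foundation's tooling). IoCs come from the
write-up; default paths, the user-writable heuristic and the sample fixture
are assumptions for demonstration."""
import json
import os
import plistlib
import tempfile

# Indicators from the write-up: extension id -> trojanized version(s).
COMPROMISED = {
    "oorzc.ssh-tools": {"0.5.1"},
    "oorzc.i18n-tools-plus": {"1.6.8"},
    "oorzc.mind-map": {"1.0.61"},
    "oorzc.scss-to-css-compile": {"1.3.4"},
}
C2_IP = "45.32.150.251"
# Locations a LaunchAgent should not normally execute from (assumed heuristic).
USER_WRITABLE_PREFIXES = ("/Users/", "/tmp/", "/private/tmp/", "/var/", "/private/var/")
# VS Code uses ~/.vscode; OpenVSX-backed builds such as VSCodium use ~/.vscode-oss.
DEFAULT_EXT_DIRS = [os.path.expanduser(p) for p in ("~/.vscode/extensions", "~/.vscode-oss/extensions")]
DEFAULT_AGENTS_DIR = os.path.expanduser("~/Library/LaunchAgents")


def installed_extensions(ext_dir):
    """Yield (id, version, path) by reading each extension folder's package.json."""
    if not os.path.isdir(ext_dir):
        return
    for entry in sorted(os.listdir(ext_dir)):
        path = os.path.join(ext_dir, entry)
        try:
            with open(os.path.join(path, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
            yield f"{pkg['publisher']}.{pkg['name']}".lower(), str(pkg.get("version", "")), path
        except (OSError, ValueError, KeyError):
            continue  # no readable manifest here; skip


def find_compromised(ext_dir):
    """Return [(id, version, path)] for installed extensions on the IoC list."""
    return [(i, v, p) for i, v, p in installed_extensions(ext_dir) if v in COMPROMISED.get(i, ())]


def find_suspicious_agents(agents_dir, ioc_ip=C2_IP):
    """Return [(plist_path, [reasons])] for LaunchAgents that need a manual look."""
    hits = []
    if not os.path.isdir(agents_dir):
        return hits
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents_dir, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:
            hits.append((path, ["unparseable plist"]))
            continue
        argv = [str(a) for a in plist.get("ProgramArguments", [])]
        program = str(plist.get("Program") or (argv[0] if argv else ""))
        reasons = []
        if ioc_ip in " ".join([program] + argv):
            reasons.append(f"references {ioc_ip}")
        if program.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("runs from user-writable path")
        if reasons:
            hits.append((path, reasons))
    return hits


def build_sample(root):
    """Write a constructed fixture (not real data) under root; returns (ext_dir, agents_dir)."""
    ext = os.path.join(root, "extensions")
    # One trojanized version, one oorzc version not on the list, one unrelated extension.
    for ext_id, ver in (("oorzc.ssh-tools", "0.5.1"), ("oorzc.mind-map", "1.0.60"), ("ms-python.python", "2024.0.0")):
        pub, name = ext_id.split(".", 1)
        d = os.path.join(ext, f"{ext_id}-{ver}")
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"publisher": pub, "name": name, "version": ver}, fh)
    agents = os.path.join(root, "LaunchAgents")
    os.makedirs(agents)
    fixtures = {
        # Benign-looking agent: runs from /Applications, no IoC.
        "com.example.updater.plist": {"Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]},
        # Constructed persistence entry: hidden binary in the home directory with the C2 IP
        # on its command line. Apple ships its own agents under /System/Library/LaunchAgents,
        # so a com.apple.* label in the per-user directory is itself worth a look.
        "com.apple.helper.plist": {"Label": "com.apple.helper", "RunAtLoad": True,
            "ProgramArguments": ["/Users/dev/.cache/.x/agent", "--server", C2_IP]},
    }
    for fname, data in fixtures.items():
        with open(os.path.join(agents, fname), "wb") as fh:
            plistlib.dump(data, fh)
    return ext, agents


def demo():
    """Run both checks against the constructed fixture; basenames only, for easy checking."""
    with tempfile.TemporaryDirectory() as root:
        ext, agents = build_sample(root)
        return {
            "compromised": [(i, v) for i, v, _ in find_compromised(ext)],
            "agents": [(os.path.basename(p), r) for p, r in find_suspicious_agents(agents)],
        }


if __name__ == "__main__":
    for d in DEFAULT_EXT_DIRS:
        for ext_id, ver, path in find_compromised(d):
            print(f"COMPROMISED {ext_id} {ver} at {path}")
    for path, reasons in find_suspicious_agents(DEFAULT_AGENTS_DIR):
        print(f"REVIEW {path}: {', '.join(reasons)}")
```

A clean result from this script does not clear the host: it only covers the IoCs on this page and the per‑user LaunchAgents directory, so a machine that ever ran one of the listed versions still needs the secret rotation above regardless of what the scan finds now.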

Takeaway

GlassWorm demonstrates how developer ecosystems can be weaponized through account compromise and extension trojanization: an editor extension runs unsandboxed with the developer's own privileges, so one hijacked publisher account turns into code execution on every machine that pulls the update. The campaign's use of crypto‑linked infrastructure (Solana memos) for tasking and its locale‑based targeting show a sophisticated, evolving threat aimed at both financial theft and developer espionage.
